Generic tunnels

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@686 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -16,3 +16,5 @@ Changes since 1.4.6
 7) Added ADMINISABSENTMINDED option.
 
 8) Fixed adding addresses to ppp interfaces.
+
+9) Added generic tunnel support.

Shorewall/firewall

@@ -1187,6 +1187,34 @@ setup_tunnels() # $1 = name of tunnels file
 	echo "   OPENVPN tunnel to $1:$p defined."
     }
 
+    setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port]
+    {
+	local procotol
+	local p=
+
+	case $2 in
+	    *:*:*)
+		p=${2##*:}
+		protocol=${2%:*}
+		protocol=${2#*:}
+		;;
+	    *:*)
+		protocol=${2#*:}
+		;;
+	    *)
+		protocol=udp
+		p=5000
+		;;
+	esac
+
+	p=${p+=--dport $p}
+
+	addrule $inchain  -p $protocol -s $1 $p -j ACCEPT
+	addrule $outchain -p $protocol -d $1 $p -j ACCEPT
+
+	echo "   GENERIC tunnel to $1:$p defined."
+    }
+
     strip_file tunnels $1
 
     while read kind z gateway z1; do
@@ -1220,6 +1248,9 @@ setup_tunnels() # $1 = name of tunnels file
 		openvpn|OPENVPN|openvpn:*|OPENVPN:*)
 		    setup_one_openvpn $gateway $kind
 		    ;;
+		generic:*|GENERIC:*)
+		    setup_one_generic $gateway $kind
+		    ;;
 		*)
 		    error_message "Tunnels of type $kind are not supported:" \
 			"Tunnel \"$tunnel\" Ignored"

Shorewall/releasenotes.txt

@@ -86,3 +86,30 @@ New Features:
    stop". As part of stopping, Shorewall removes eth0:0 which kills my
    SSH connection to 192.168.1.5!!!
 
+4) Given the wide range of VPN software, I can never hope to add
+   specific support for all of it. I have therefore decided to add
+   "generic" tunnel support.
+
+   Generic tunnels work pretty much like any of the other tunnel
+   types. You usually add a zone to represent the systems at the other
+   end of the tunnel and you add the appropriate rules/policies to
+   implement your security policy regarding traffic to/from those
+   systems.
+
+   In the /etc/shorewall/tunnels file, you can have entries of the
+   form:
+
+   # TYPE			ZONE	GATEWAY		GATEWAY ZONE
+   generic:<protocol>[:<port>]	<zone>	<ip address>
+
+   where:
+
+       <protocol>	is the protocol used by the tunnel
+       <port>		if the protocol is 'udp' or 'tcp' then this
+			is the destination port number used by the
+			tunnel.
+       <zone>		is the zone of the remote tunnel gateway
+       <ip address>	is the IP address of the remote tunnel
+			gateway.
+
+

Shorewall/tunnels

@@ -10,13 +10,20 @@
 #	The columns are:
 #
 #	TYPE	    --	must start in column 1 and be "ipsec", "ipsecnat","ip"
-#			"gre", "6to4", "pptpclient", "pptpserver" or "openvpn".
+#			"gre", "6to4", "pptpclient", "pptpserver", "openvpn" or 
+#			"generic"
 #
 #			If type is "openvpn", it may optionally be followed
 #			by ":" and the port number used by the tunnel. if no
 #			":" and port number are included, then the default port
 #			of 5000 will be used
 #
+#			If type is "generic", it must be followed by ":" and
+#			a protocol name (from /etc/protocols) or a protocol
+#			number. If the protocol is "tcp" or "udp" (6 or 17),
+#			then it may optionally be followed by ":" and a
+#			port number.
+#
 #	ZONE	    --	The zone of the physical interface through which
 #			tunnel traffic passes. This is normally your internet
 #			zone.
@@ -85,5 +92,13 @@
 #
 #			openvpn:7777	net	4.33.99.124
 #
-# TYPE			ZONE	GATEWAY		GATEWAY ZONE	PORT
+#		Example 8:
+#
+#			You have a tunnel that is not one of the supported types.
+#			Your tunnel uses UDP port 4444. The other end of the
+#			tunnel is 4.3.99.124.
+#
+#			generic:udp:4444	net	4.3.99.124
+#
+# TYPE			ZONE	GATEWAY		GATEWAY ZONE
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE